In Episode 5 of Know Your Adversary™, we discuss a 2018 Nisos insider threat investigation of network sabotage that caused almost $1,000,000 in lost business operations. Following a recent merger and acquisition, IT engineers at the newly acquired subsidiary were upset with their new roles. They were also disgruntled that the parent company refused to integrate with their open source and cloud infrastructure. They decided to resign (one without the parent company's knowledge), sabotage the subsidiary's core routers, erase the evidence of their actions, and actively conspire to steer the investigation away from themselves while accepting new employment. The sabotage resulted in a complete subsidiary network outage lasting over a week and a subsequent Nisos and FBI investigation that led to the arrest and detention of one co-conspirator.
We focus on the investigation, recovery, and attribution of the threat actors, with particular attention to post-M&A activity. These situations are often a perfect storm: insiders who control the systems and disgruntled employees willing to cause damage at any cost.
Here are some of the key takeaways from the episode:
- Company acquisitions are often a merger of cultures and visions. Plans should be in place to ensure that roles, responsibilities, and accountability post-acquisition are fully considered, with particular deliberation over personnel who retain highly privileged access to the network.
- Due diligence on IT and security programs should be conducted as part of the pre-acquisition review as a matter of routine, just as it is for financials and compliance. A plan should be in place to begin integrating company infrastructure on Day 1 after the deal closes.
- Restoring and maintaining the confidentiality, integrity, and availability of data, systems, and networks following a breach or incident is crucial. Beginning attribution to specific identities early matters in investigations, especially those suspected to involve insider threats.
- Attribution almost certainly involves “going outside the firewall” and looking for the bad actors' operational security mistakes and the artifacts they leave behind.
In this investigation, the discovery of a virtual server hosted with a third party (a Linode instance) ultimately provided the critical evidence that led to high-confidence attribution.